
Cisco Unified Communications Manager (CallManager)

How to Configure Unified Communications Manager Directory Integration in a Multi-Forest Environment

Document ID: 111979

Updated: May 07, 2011


Introduction

This document discusses how to configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Prerequisites

Requirements

Ensure that you meet these requirements:

  • Have knowledge of deploying and configuring Cisco Unified Communications Manager directory integration.

  • Are responsible for deploying, configuring, and maintaining Microsoft Active Directory Application Mode 2003 or Microsoft Active Directory Lightweight Directory Services 2008.

  • The number of user accounts to be synchronized does not exceed 60,000 per Unified CM Publisher. If more than 60,000 accounts must be synchronized, use the IP Phone Services SDK to provide a custom directory. Refer to the Cisco Developer Network for additional details.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Unified Communications Manager, Release 8.0(1), or later

  • Microsoft Active Directory Application Mode 2003 or Lightweight Directory Services 2008

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Microsoft Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode (ADAM), can be used to provide directory services for directory-enabled applications. Instead of using your organization’s Active Directory Domain Service (AD DS) database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS, so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory (AD) replication. You do not have to extend the AD schema to support the application, and you can partition the directory structure, so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.

For more information, refer to the Background Information section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Active Directory Multiple Forest Support Scenario in Unified CM

The scenario is explained in the Active Directory Multiple Forest Support Scenario in Unified CM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Domain Trust Relationship

For user authentication to succeed, a trust must exist between the domain that hosts the ADAM instance and the other domain(s) that host the user accounts. A one-way trust is sufficient if required (an outgoing trust from the domain that hosts the ADAM instance to the domain(s) that host the user accounts), because it lets the ADAM instance forward authentication requests to the DCs in those account domains.

For more information, refer to the Domain Trust Relationship section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Install AD LDS

The steps to install AD LDS are explained in the Install AD LDS section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Install the Instance for Multiple-Forest Support

AD LDS can run several instances of the service on different ports, which allows different user directory “applications” to run on the same machine. By default, AD LDS chooses ports 389/LDAP and 636/LDAPS. If the system already has any kind of LDAP service running, however, it uses ports 50000/LDAP and 50001/LDAPS instead. Each additional instance is assigned the next pair of ports after those already in use.

For more information, refer to the Install the Instance for Multiple-Forest Support section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Copy the Schema from Each Domain to ADAM

Repeat this process for each domain that you need to synchronize.

Perform the steps in the Copy the Schema from Each Domain to ADAM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Extend the AD LDS Schema with the User-Proxy Objects

The object used for proxy authentication must be created explicitly, and the standard object class ‘user’ is not used for it. Instead, the object class that is created, userProxy, is what allows bind redirection. The object class definition is supplied in an ldif file. For more information, refer to the Extend the AD LDS Schema with the User-Proxy Objects section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Import the Users from AD DC to AD LDS

Perform the steps in the Import the Users from AD DC to AD LDS section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Create the User in AD LDS for Unified CM Synchronization and Authentication

Perform the steps in the Create the User in AD LDS for Unified CM Synchronization and Authentication section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Configure Bind Redirection

By default, binding to ADAM with bind redirection requires an SSL connection. SSL requires the installation and use of certificates on the computer that is running ADAM and on the computer that connects to ADAM as a client. If certificates are not installed in your ADAM test environment, you can disable the requirement for SSL as an alternative.
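As an added example that is not part of the Cisco document, the following PowerShell script audits whether an AD LDS/ADAM instance still enforces the SSL requirement for bind redirection. It reads the RequireSecureProxyBind entry of the msDS-Other-Settings attribute on the instance's Directory Service object, which is the setting that is changed when the requirement is disabled. The server name and port are placeholders, and the script assumes the account running it can read the instance's Configuration partition.

```powershell
# Added example, not from the Cisco document.
# Audits an AD LDS / ADAM instance: does it still require SSL for
# bind redirection (proxy binds)? Run on a management workstation that
# can reach the instance and read its Configuration partition.
function Test-AdLdsProxyBindSsl {
    param(
        [string]$Server = 'adlds01.example.com',   # placeholder: AD LDS host
        [int]   $Port   = 50000                    # placeholder: instance LDAP port
    )

    # RootDSE publishes the Configuration naming context of this instance
    # (of the form CN=Configuration,CN={<instance GUID>}).
    $rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'].Value

    # msDS-Other-Settings on the Directory Service object is a list of
    # name=value strings. RequireSecureProxyBind=1 (the default) makes the
    # instance refuse a proxy bind unless the client connected over SSL.
    $dsDn   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $dsObj  = [ADSI]"LDAP://${Server}:${Port}/$dsDn"
    $values = $dsObj.Properties['msDS-Other-Settings'] | ForEach-Object { [string]$_ }

    $setting = $values | Where-Object { $_ -like 'RequireSecureProxyBind=*' } |
               Select-Object -First 1

    $result = [pscustomobject]@{
        Instance        = "${Server}:${Port}"
        RequireSslProxy = $null
        Status          = 'Unknown'
    }

    if ($setting -eq 'RequireSecureProxyBind=1') {
        $result.RequireSslProxy = $true
        $result.Status          = 'OK: proxy binds require SSL'
    }
    elseif ($setting -eq 'RequireSecureProxyBind=0') {
        $result.RequireSslProxy = $false
        $result.Status          = 'WARNING: proxy binds accepted without SSL'
        Write-Warning ("${Server}:${Port} accepts redirected binds in clear text; " +
                       "user passwords would cross the network unprotected. " +
                       "Re-enable the requirement before the instance serves Unified CM.")
    }
    else {
        Write-Warning ("RequireSecureProxyBind not present in msDS-Other-Settings; " +
                       "values seen: " + ($values -join ', '))
    }

    return $result
}

# Usage (placeholder values): Test-AdLdsProxyBindSsl -Server 'adlds01.example.com' -Port 50000
```

The check is worth running before Unified CM is pointed at the instance: disabling the SSL requirement is convenient in a certificate-less test environment, but with bind redirection a user's simple bind carries the user's AD DS password, so without SSL that password is visible to anyone on the path between Unified CM and the AD LDS host.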

For more information, refer to the Configure Bind Redirection section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Configure Unified CM

ADAM/AD LDS synchronization and authentication is supported in Unified CM version 8.0(1) and later.

Perform the steps in the Configure Unified CM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Create a Custom LDAP Filter in Unified CM

Perform the steps in the Create a Custom LDAP Filter in Unified CM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Related Information
